Google-Symantec Dispute Over Certificate Validity Illustrates Trust Issues, AEI Fellow Says

fellow, in a Tuesday blog post. Google said last week its Chrome web browser will begin applying special scrutiny to Symantec-issued certificates because it no longer has “confidence in the certificate issuance policies and practices of Symantec.” Symantec-issued certificates didn’t accurately identify the certificate’s owner in some cases, Google said. Websites with Symantec certificates “will need to pay for more renewals and perhaps will need to switch to certificates from another vendor,” Rabkin said. “Symantec itself will doubtless have increased costs or lost business.” Google “has no evident legal obligation to trust Symantec’s certificates. Manufacturers have no general duty to make interoperable products,” Rabkin said. “When Apple changes its laptop design and previous third party add-ons no longer work, the add-on vendors cannot sue for lost business.” Congress and the FTC shouldn't impose a standard of care on certificate authorities in response to the dispute because “the technology ecosystem changes too quickly, the level of harms here are fairly small, and the cost of regulation is potentially high,” Rabkin said. The companies are having "an ongoing discussion, and we look forward to continuing our conversations with Symantec about this issue," a Google spokesman said. "We want to enable an open and transparent assessment of the compatibility and interoperability risks, relative to potential security threats to our users." Symantec didn’t comment.